Fun with Google custom searches: Intelligence, secrets and leaks
By: Jamal Bandukwala
http://infosecmindstorm.blogspot.com/
infosecmindstorm
• I blog about various information security topics and do my own research, my blog can be found at http://infosecmindstorm.blogspot.com/
• Going to talk about some of my personal research
2 Black Hat Abu Dhabi 2011
Google Custom Searches
• What are they?
• What exactly am I doing with these searches?
• Why are they useful?
• Will talk about the 3 major searches I have put together, how they differ and what they are useful for.
• Invisible Attacks
3 Black Hat Abu Dhabi 2011
• Google offers a program that allows developers/ users to create their own custom search engines.
• Allows developers/ users to be up and running in minutes using a wizard interface along with more advanced options as needed.
Black Hat Abu Dhabi 2011 4
• This allows the search owner to focus on developing their content and search list.
• Advanced options of note:
• fine tune search results by removing items
• promoting search results
Black Hat Abu Dhabi 2011 5
• on-demand indexing.
• These enable the user to retrieve search results from newly added sources in a shorter time frame.
Black Hat Abu Dhabi 2011 6
Open Source Intelligence Deep Web Search
7 Black Hat Abu Dhabi 2011
8 Black Hat Abu Dhabi 2011
Open Source Intelligence
• Open Source Intelligence (OSINT) is a form of intelligence gathering from open sources.
• Open sources refers to publically available information as opposed to covert information.
• In 2006 the Washington Times had an article discussing how OSINT was becoming increasingly important.
9 Black Hat Abu Dhabi 2011
• I find that the following lines were really significant:
• “A Defense Department official said Chinese military bloggers have become a valuable source of intelligence on Beijing’s secret military buildup. For example, China built its first Yuan-class attack submarine at an underground factory that was unknown to U.S. intelligence until a photo of the submarine appeared on the Internet in 2004.”
• http://www.washingtontimes.com/news/2006/apr/18/20060418-110124-3694r/
10 Black Hat Abu Dhabi 2011
11 Black Hat Abu Dhabi 2011
12 Black Hat Abu Dhabi 2011
• This includes everything from media like newspapers, TV, web content (blogs, wikis, among others), satellite images, public databases, academic journals/ conference info and other publically available information.
• I have put together a customized Google search that runs against a large list of OSINT sources(which I have compiled and actively maintain). This makes it easier for analysts/ researchers to locate useful information.
13 Black Hat Abu Dhabi 2011
• A number of these sites can be found on my blog at infosecmindstorm.
• Useful for gathering political, economic and related intelligence.
14 Black Hat Abu Dhabi 2011
15 Black Hat Abu Dhabi 2011
16 Black Hat Abu Dhabi 2011
17 Black Hat Abu Dhabi 2011
18 Black Hat Abu Dhabi 2011
19 Black Hat Abu Dhabi 2011
20 Black Hat Abu Dhabi 2011
Black Hat Abu Dhabi 2011 21
22 Black Hat Abu Dhabi 2011
23 Black Hat Abu Dhabi 2011
24 Black Hat Abu Dhabi 2011
25 Black Hat Abu Dhabi 2011
26 Black Hat Abu Dhabi 2011
27 Black Hat Abu Dhabi 2011
28 Black Hat Abu Dhabi 2011
29 Black Hat Abu Dhabi 2011
30 Black Hat Abu Dhabi 2011
31 Black Hat Abu Dhabi 2011
32 Black Hat Abu Dhabi 2011
33 Black Hat Abu Dhabi 2011
34 Black Hat Abu Dhabi 2011
35 Black Hat Abu Dhabi 2011
36 Black Hat Abu Dhabi 2011
37 Black Hat Abu Dhabi 2011
Pastebin and collaborative tools
intelligence web search
38 Black Hat Abu Dhabi 2011
• What is a pastebin?
• A site that allows users to post snippets of text for others to view. Different pastebin sites can be targeted towards different audiences.
• Initially used to share source code.
39 Black Hat Abu Dhabi 2011
• These days a number of pastebin sites are used to post spam and also by various parties (including Anonymous and Lulzsec) to leak/ post information.
• I have built up a list of pastebin sites from the most popular ones, to lesser known sites that are run through in my custom search.
40 Black Hat Abu Dhabi 2011
• The list of sites is regularly updated; it is not available to the public as it is confidential; examples of the sites being searched can be found on my blog.
• Searches turn up everything from credit card numbers, leaked databases and vulnerable sites among other things.
41 Black Hat Abu Dhabi 2011
• Some searches that have generated interesting results include the following:
• Defense Industries
• VISA
• Police
• NASA
• Air Force
• World of Warcraft
• Passport Number
42 Black Hat Abu Dhabi 2011
Credit Card Numbers and Sellers
43 Black Hat Abu Dhabi 2011
44 Black Hat Abu Dhabi 2011
45 Black Hat Abu Dhabi 2011
Hacked and Vulnerable Sites
46 Black Hat Abu Dhabi 2011
47 Black Hat Abu Dhabi 2011
48 Black Hat Abu Dhabi 2011
49 Black Hat Abu Dhabi 2011
50 Black Hat Abu Dhabi 2011
51 Black Hat Abu Dhabi 2011
52 Black Hat Abu Dhabi 2011
53 Black Hat Abu Dhabi 2011
54 Black Hat Abu Dhabi 2011
55 Black Hat Abu Dhabi 2011
56 Black Hat Abu Dhabi 2011
Passport Numbers & related information
57 Black Hat Abu Dhabi 2011
58 Black Hat Abu Dhabi 2011
59 Black Hat Abu Dhabi 2011
60 Black Hat Abu Dhabi 2011
61 Black Hat Abu Dhabi 2011
62 Black Hat Abu Dhabi 2011
63 Black Hat Abu Dhabi 2011
64 Black Hat Abu Dhabi 2011
65 Black Hat Abu Dhabi 2011
66 Black Hat Abu Dhabi 2011
67 Black Hat Abu Dhabi 2011
Black Hat Abu Dhabi 2011 68
Black Hat Abu Dhabi 2011 69
Black Hat Abu Dhabi 2011 70
Black Hat Abu Dhabi 2011 71
Black Hat Abu Dhabi 2011 72
Databases & other Confidential information
73 Black Hat Abu Dhabi 2011
74 Black Hat Abu Dhabi 2011
75 Black Hat Abu Dhabi 2011
76 Black Hat Abu Dhabi 2011
77 Black Hat Abu Dhabi 2011
Black Hat Abu Dhabi 2011 78
Black Hat Abu Dhabi 2011 79
Black Hat Abu Dhabi 2011 80
Black Hat Abu Dhabi 2011 81
Black Hat Abu Dhabi 2011 82
Black Hat Abu Dhabi 2011 83
Social Networking Intel/ Footprint web search
84 Black Hat Abu Dhabi 2011
• There are currently more than 60 sites in the custom search. Examples include flickr, linkedin, facebook and Hi5.
• The list of sites is regularly updated; it is not available to the public as it is confidential; examples of the sites being searched can be found on my blog.
85 Black Hat Abu Dhabi 2011
• Searches turn up everything an individual's personal social media page, to events where they were attending or volunteered at.
• I also came across individuals who worked at their organizations or people who knew them personally/ friends.
• Useful for reconnaissance activities- intelligence gathering.
86 Black Hat Abu Dhabi 2011
• If you are a pen tester useful for finding potential targets.
• Was surprised was actually able to get significant information on individuals even if they did not have a direct social media presence themselves.
• In some cases enough information to potentially get an introduction to a person.
87 Black Hat Abu Dhabi 2011
88 Black Hat Abu Dhabi 2011
89 Black Hat Abu Dhabi 2011
90 Black Hat Abu Dhabi 2011
91 Black Hat Abu Dhabi 2011
92 Black Hat Abu Dhabi 2011
93 Black Hat Abu Dhabi 2011
94 Black Hat Abu Dhabi 2011
95 Black Hat Abu Dhabi 2011
96 Black Hat Abu Dhabi 2011
97 Black Hat Abu Dhabi 2011
98 Black Hat Abu Dhabi 2011
99 Black Hat Abu Dhabi 2011
100 Black Hat Abu Dhabi 2011
101 Black Hat Abu Dhabi 2011
102 Black Hat Abu Dhabi 2011
103 Black Hat Abu Dhabi 2011
104 Black Hat Abu Dhabi 2011
Invisible Attacks • A malicious party could hijack an existing
researcher’s identity and offer a custom search targeted at a very specific audience (ie a select group of senior executives).
• The attacker could use the search to provide legitimate results most of the time and by doing so build a level of trust into the search engine.
Black Hat Abu Dhabi 2011 105
• Attacker could enter a temporary site into the engine and then with the custom search in built capabilities promote the results from the newly entered malicious site to the top of the list.
• The actor would promote the malicious url for a short period of time and then remove the url from the custom search altogether.
Black Hat Abu Dhabi 2011 106
• Makes it difficult for investigators/ analysts to:
• capture samples.
• identify source of infection(due to trust factor) and short time to live.
• Depending on the malware determine whether the malicious code is in the environment at all.
Black Hat Abu Dhabi 2011 107
Currently use my research
• My Google Custom Searches are currently used by individuals at various private and government intelligence agencies, organizations and departments including:
• Lascar Intelligence
• Bund Deutscher Kriminalbeamter (German Police)
108 Black Hat Abu Dhabi 2011
• British Department of Defense
• US Army
• iSIGHT Risk Management
109 Black Hat Abu Dhabi 2011
Final Thoughts
• Is All Hope lost? Should we all panic?
• That great philosopher Chicken Little said- The Sky is Falling down. In this case he was wrong.
• We can find a lot of information on the internet including things like credit card numbers, and passport information.
110 Black Hat Abu Dhabi 2011
• Even if you do not have your own social media/ web 2.0 presence, others in your network can put information about you on the web.
• With the information available out there it may be possible to engineer/ create opportunities for meetings with various individuals including political and business power brokers.
111 Black Hat Abu Dhabi 2011
• Running the appropriate searches generates useful political, social, economic and related intelligence.
• Useful for generating information on competing actors, entities and organizations.
• Can be used to possibly obtain information on upcoming threats (both internet based and others) and take the appropriate actions to combat these.
112 Black Hat Abu Dhabi 2011
• Can even use these customized searches with a honeytrap if you suspect an individual in your organization is leaking/ stealing information. You set up the trap and then use the searches to see if the ‘fake’ information becomes available here.
• Yes it’s not a good thing that so much information is out there, but you can take actions to counter this and protect your organization.
113 Black Hat Abu Dhabi 2011
• These same searches can also be used to gather intelligence, anticipate and counter possible threats to an organization.
• The custom search engine owner/ creator and the individual using the searches are both only limited by the content in the search engine and their imagination. The possibilities of what you can find are endless.
114 Black Hat Abu Dhabi 2011
Bibliography
• Bandukwala, Jamal. http://infosecmindstorm.blogspot.com/ (Last visited, Nov 16 2011)
• Google. Google Custom Search APIs and Tools Developer’s Guide. http://code.google.com/apis/customsearch/docs/dev_guide.html (Last visited, Nov 16 2011)
• Jiang, Rui, Google. Improved On-Demand Indexing. Google Custom Search Blog. http://googlecustomsearch.blogspot.com/2011/06/improved-on-demand-indexing.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+blogspot%2FSyga+%28Google+Custom+Search%29 (Last visited, Nov 16 2011)
Black Hat Abu Dhabi 2011 115
Black Hat Abu Dhabi 2011 116
• Shiv Nadar. Wikipedia.com http://en.wikipedia.org/wiki/Shiv_Nadar (Last visited, Nov 16 2011)
• Pastebin. Wikipedia.com http://en.wikipedia.org/wiki/Pastebin (Last visited, Nov 16 2011)
• Washington Times. CIA mines ‘rich’ content from blogs. http://www.washingtontimes.com/news/2006/apr/18/20060418-110124-3694r/ (Last visited, Nov 16 2011)
• Zelster, Lenny. Pastebin used for sharing stolen data. http://blog.zeltser.com/post/7033873645/pastebin-used-for-sharing-stolen-data) (Last visited, Nov 16 2011)
Thank You!
Black Hat Abu Dhabi 2011 117
Please turn in your completed
feedback form at the
registration desk.